| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Oct 2022 11:39:39 -0700 From: Apple Product Security via Fulldisclosure <fulldisclosure@...lists.org> To: security-announce@...ts.apple.com Subject: [FD] APPLE-SA-2022-10-24-6 tvOS 16.1 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-24-6 tvOS 16.1 tvOS 16.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213492. AppleMobileFileIntegrity Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed by removing additional entitlements. CVE-2022-42825: Mickey Jin (@patch1t) AVEVideoEncoder Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2022-32940: ABC Research s.r.o. CFNetwork Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: Processing a maliciously crafted certificate may lead to arbitrary code execution Description: A certificate validation issue existed in the handling of WKWebView. This issue was addressed with improved validation. CVE-2022-42813: Jonathan Zhang of Open Computing Facility (ocf.berkeley.edu) Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32924: Ian Beer of Google Project Zero Kernel Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: A remote user may be able to cause kernel code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-42808: Zweig of Kunlun Lab Sandbox Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: An app may be able to access user-sensitive data Description: An access issue was addressed with additional sandbox restrictions. CVE-2022-42811: Justin Bui (@slyd0g) of Snowflake WebKit Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: Visiting a malicious website may lead to user interface spoofing Description: The issue was addressed with improved UI handling. WebKit Bugzilla: 243693 CVE-2022-42799: Jihwan Kim (@gPayl0ad), Dohyun Lee (@l33d0hyun) WebKit Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed with improved memory handling. WebKit Bugzilla: 244622 CVE-2022-42823: Dohyun Lee (@l33d0hyun) of SSD Labs WebKit Available for: Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD Impact: Processing maliciously crafted web content may disclose sensitive user information Description: A logic issue was addressed with improved state management. WebKit Bugzilla: 245058 CVE-2022-42824: Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research, Ryan Shin of IAAI SecLab at Korea University, Dohyun Lee (@l33d0hyun) of DNSLab at Korea University Additional recognition iCloud We would like to acknowledge Tim Michaud (@TimGMichaud) of Moveworks.ai for their assistance. Kernel We would like to acknowledge Peter Nguyen of STAR Labs, Tim Michaud (@TimGMichaud) of Moveworks.ai, Tommy Muir (@Muirey03) for their assistance. WebKit We would like to acknowledge Maddie Stone of Google Project Zero, Narendra Bhati (@imnarendrabhati) of Suma Soft Pvt. Ltd., an anonymous researcher for their assistance. Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNW14YACgkQ4RjMIDke NxmyxQ//V8g3f1Q3mu8+thoVYnyT5lU3Krfa3MqTPPCVLVZnUBjC65ctqS3tHIzz AzPxydul/82XS3ps9Hd/YOd5fjU/JRDqXJNX5CmQLW0xW9NQUgQ67fCH2uYhkmWl vTozaGxjl/3N7Ogc447FbDWMMMtQaFHEv/SoXWVeCZHGHCU+KCdU2uaaC4VsrtTg JBxByj+IOnY7aKQIttK4hmSuwtlVZgcGQhUywpwJRQXaBKUhtUL1diQfFgCQVNQT zuFyZg0PJr+0/HJ/v3xkHXFpfp1G3VxVGJzbI/4Ny7ow16oFbcCAL63u8txW6TpK d8HHfawUTzqxUIA5WEP5bm4PdmcINUgw83lu9ogqEuLhWeY9t8Hy9AHYuTrCRGDo 8zLdhWR/Yw6Gk+TbY7UYYUIjBegLVlIpZlEnTwfn0S2oI4e7bwdjwGguEzeZUwf3 AYQf7EsQpxPHWvMbE1AQmyOEDydTYh/sfQtEJZK30zwJK3ZUq7RJLBsRgsjJXi75 0B+rgmJu0h48Y00HAk0LZOACF9VvSaSW6RLPgA+of/tb8wQNEdXErZdb8xSnE/Kl F5TsvbatbUd1wstV4vJ4SBUrG8HZLDaj29bPFfh206PQ4escm5UHgTQu85A2pbP3 toJD10+fz2lvzwnSjeU/U/PMwfN2P7QP3YKL+o73hBoBr+davZM= =Fnsx -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists